The Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision have jointly adopted the attached final rule on the privacy of consumers' financial information. The rule takes effect on November 13, 2000, but financial institutions have until July 1, 2001, to be in mandatory compliance with the regulation.

The banking agencies' rule:

requires a financial institution to provide notice to customers about its privacy policies and practices;

describes under what conditions a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and

provides an "opt out" method for consumers to prevent the financial institution from disclosing that information to nonaffiliated third parties.

Protected Information

Under the rule, restrictions on sharing information with nonaffiliated third parties apply to "nonpublic personal information" about a consumer. Nonpublic personal information is "personally identifiable financial information" that is provided by a consumer to a financial institution, results from any transaction with or service performed for the consumer, or is otherwise obtained by the financial institution.

The rule excludes "publicly available information" from the definition of nonpublic personal information. Publicly available information is any information that an institution has a reasonable basis to believe is lawfully made available to the general public from government records, widely distributed media or disclosures to the public required to be made by federal, state or local law. To have a reasonable basis, the institution must determine three things:

whether the information is of the type available to the general public;

whether an individual may direct that the information not be made available to the general public; and

if the individual may so direct, whether he or she has not made the information available.

Privacy Policy Notice

Under the rule, financial institutions must provide a clear and conspicuous notice that accurately reflects their privacy policies and practices. The notice must be given to any individual who becomes a customer of the financial institution by the time the customer relationship is established, and annually as long as the relationship continues. Also, the notice must be given to any consumer who does not become a customer before nonpublic personal information about the consumer may be shared with nonaffiliated third parties.

Opt Out Requirement

Before an institution can share nonpublic personal information with nonaffiliated third parties, consumers must be given a reasonable opportunity to "opt out" from having that information shared. The opt out notice must be given to:

customers as a part of the initial notice of the financial institution's privacy policies and practices, or prior to sharing nonpublic personal information about them with nonaffiliated third parties; and

individual consumers who do not become customers of the financial institution, and former customers, before nonpublic personal information about them may be shared with nonaffiliated third parties.

The rule does provide certain exceptions that permit a financial institution to share nonpublic information with third parties without providing privacy or opt out notices. These exceptions include disclosures of nonpublic personal information made in connection with certain processing and servicing transactions; with the consent of or at the direction of the consumer; to protect against potential fraud or unauthorized transactions; and to respond to judicial process.

The rule provides sample model clauses (Appendix A in the attachment) that a financial institution may use to develop its own initial and annual privacy notices.